Packet Analysis for Network Security

“I am convinced that there are only two types of companies: those that have been hacked and those that will be.”

Mueller, R. (2012). Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies. [online] FBI. Available at: https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies [Accessed 29 Jul. 2019].

Packet Analysis for Network Security · sudo tcpreplay -i ens34 -M10 fake_av.pcap Import the packet capture as new traffic with the current date and time, using interface ens34, limiting



Agenda

• Why Network Security?
• Attack Frameworks
• Detection analysis techniques
• List of Free Open Source Software (F.O.S.S)
• Overview of Security Onion
• Demo Time

Amount of attacks – SSH attack

• APNIC 46 Network security workshop deployed 7 honeypots to a cloud service
• 21,077 attacks in 24 hours
• Top 5 sensors
  – training06 (8,431 attacks)
  – training01 (5,268 attacks)
  – training04 (2,208 attacks)
  – training07 (2,025 attacks)
  – training03 (1,850 attacks)

Time of attack – RDP attack

The 10 RDP honeypots logged a combined 4,298,513 failed login attempts over a 30-day period.

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-rdp-exposed-the-threats-thats-already-at-your-door-wp.pdf (last accessed 24/07/2019)

Legislative requirements

• Government intervention and regulation
  – Europe, GDPR (General Data Protection Regulation)
  – Australia, Notifiable Data Breaches (NDB) scheme
  – United States, various State data breach notification Statutes
  – India, Personal Data Protection Bill (Early 2020)
  – China, Cybersecurity Law & draft Data Security Administrative Measures
• Data protection laws of the world
  – https://www.dlapiperdataprotection.com

Legislative requirements

https://www.dlapiperdataprotection.com/index.html

Attack Life Cycle

http://www.iacpcybercenter.org/resource-center/what-is-cyber-crime/cyber-attack-lifecycle/

Mitigate Cyber Security incidents

Mitigation strategies to detect cyber security incidents and respond

Columns: Relative security effectiveness rating | Mitigation strategy | Potential user resistance | Upfront cost (staff, equipment, technical complexity) | Ongoing maintenance cost (mainly staff)

Excellent | Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity. | Low | Very high | Very high
Very good | Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and persistence. | Low | Medium | Medium
Very good | Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft’s free SysMon tool is an entry-level option. | Low | Medium | Medium
Very good | Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise. | Low | Very high | Very high
Limited | Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. | Low | High | Medium
Limited | Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. | Low | High | Medium

https://www.cyber.gov.au/sites/default/files/2019-03/Mitigation_Strategies_2017.pdf

NIST Cybersecurity Framework

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

NIST Cybersecurity Framework

• Under Anomalies and Events (AE) in the Detect (DE) functional area, there are five subcategories:
  – DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
  – DE.AE-2: Detected events are analyzed to understand attack targets and methods
  – DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
  – DE.AE-4: Impact of events is determined
  – DE.AE-5: Incident alert thresholds are established

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

NIST Cybersecurity Framework

• DE.AE-2: Detected events are analyzed to understand attack targets and methods
  – CIS CSC 3, 6, 13, 15
  – COBIT 5 DSS05.07
  – ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
  – ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
  – ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, A.16.1.4
  – NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4
    • AU-6 – Audit Review, Analysis, and Reporting;
    • CA-7 – Continuous Monitoring;
    • IR-4 – Incident Handling;
    • SI-4 – Information System Monitoring, e.g. IDS, automated tools, alerts.

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

ATT&CK Matrix for Enterprise

https://attack.mitre.org – accessed 12th Nov 2018



Packet analysis

Signature analysis

• Distinctive marks of known bad traffic used to generate alerts, e.g.:
  – virus detection,
  – malicious website or
  – malware files.
• Distinctive marks include:
  – IP addresses
  – Hostnames
  – Offsets – for example, memory related exploit
  – Debug information
  – “Ego” strings (strings left in the code)
  – Header information

Signature analysis

• An example could be detecting an nmap scan of a network by looking at the User-Agent string.

alert tcp $EXTERNAL_NET any -> any any (msg:"Nmap User-Agent Observed"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:"|20|Nmap"; sid:1000001; rev:3;)
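The following is an added example, not code from the slides or from Snort: it applies the two content: strings of the rule above to HTTP requests the way a signature-based IDS does, decoding Snort's |hex| notation and honouring the http_header modifier on the first string. It assumes the payloads are client-to-server requests (the rule's flow:to_server) and the sample requests are constructed for this example.

```python
import re

# content: strings copied from the slide's rule, with Snort |hex| notation.
# True = the rule's http_header modifier applies (match in headers only).
RULE_CONTENTS = [
    ('User-Agent|3a|', True),
    ('|20|Nmap', False),   # no modifier: anywhere in the packet payload
]


def decode_content(text: str) -> bytes:
    """Turn a Snort content string such as 'User-Agent|3a|' into raw bytes:
    text outside the pipes is literal, text inside the pipes is hex."""
    out = bytearray()
    for i, chunk in enumerate(text.split('|')):
        if i % 2 == 0:
            out += chunk.encode('latin-1')
        else:
            out += bytes.fromhex(chunk.replace(' ', ''))
    return bytes(out)


def split_http(payload: bytes):
    """Split a request into (header block, body); with no blank line the
    whole payload is treated as header."""
    idx = payload.find(b'\r\n\r\n')
    if idx < 0:
        return payload, b''
    return payload[:idx + 4], payload[idx + 4:]


def rule_matches(payload: bytes) -> bool:
    """True when every content: string is found in its required region.
    Matching is case-sensitive, as in the rule (no nocase modifier)."""
    header, _body = split_http(payload)
    for text, header_only in RULE_CONTENTS:
        needle = decode_content(text)
        haystack = header if header_only else payload
        if needle not in haystack:
            return False
    return True


def user_agent_of(payload: bytes) -> str:
    """Pull out the User-Agent value for the alert summary."""
    header, _ = split_http(payload)
    m = re.search(rb'(?im)^User-Agent:[ \t]*([^\r\n]*)', header)
    return m.group(1).decode('latin-1') if m else ''


# Constructed sample requests (not real captures).
NMAP_REQUEST = (b'GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n'
                b'User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine)\r\n\r\n')
BROWSER_REQUEST = (b'GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n'
                   b'User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n')
# " Nmap" in the body but no User-Agent header: the first content fails.
BODY_ONLY = b'POST /q HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\nnote= Nmap'

if __name__ == '__main__':
    for req in (NMAP_REQUEST, BROWSER_REQUEST, BODY_ONLY):
        print('ALERT' if rule_matches(req) else 'ok   ', user_agent_of(req))
```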

Session analysis

• Utilises the session metadata to determine what is happening during a session:
  – which devices are causing the traffic,
  – the type of traffic or
  – what data is being transferred.
• Looks at the behaviour of the sessions and looks for behaviour that is not normal.

Session analysis

• An example is once a network has been compromised, Domain Name Services (DNS) may be used to exfiltrate data.

https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

Wireshark filter: dns.qry.name.len > 20
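As an added example (not from the slides), the same check as the Wireshark filter above applied to raw DNS query messages, plus two features an analyst would look at next when investigating a suspected tunnel: label count and character entropy of the name. It assumes the name length is the dotted name as Wireshark displays it (no trailing dot), uses the slide's threshold of 20, and builds its sample queries inline rather than reading a capture.

```python
import math
import struct
from collections import Counter

THRESHOLD = 20  # the slide's Wireshark filter: dns.qry.name.len > 20


def parse_qname(msg: bytes, offset: int = 12):
    """Read the label-encoded question name that follows the 12-byte DNS
    header and return (dotted_name, offset_after_name). A compression
    pointer (top two bits set) is rejected: a question name is never
    compressed, so one here is malformed input."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return '.'.join(labels), offset + 1
        if length & 0xC0:
            raise ValueError('compression pointer in question name')
        offset += 1
        labels.append(msg[offset:offset + length].decode('ascii'))
        offset += length


def entropy(name: str) -> float:
    """Shannon entropy (bits per character) of the name without dots;
    encoded exfiltration chunks score higher than human-chosen hostnames."""
    s = name.replace('.', '')
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def inspect_query(msg: bytes) -> dict:
    """Apply the slide's length filter to one DNS query message and return
    the features an analyst would look at next (label count, entropy)."""
    qdcount = struct.unpack('!H', msg[4:6])[0]
    if qdcount == 0:
        raise ValueError('no question section')
    name, _ = parse_qname(msg)
    return {
        'name': name,
        'len': len(name),          # assumed to mirror dns.qry.name.len
        'flagged': len(name) > THRESHOLD,
        'labels': name.count('.') + 1,
        'entropy': round(entropy(name), 2),
    }


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal A/IN query (test data only, not captured traffic)."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(label)]) + label.encode('ascii')
                     for label in name.split('.')) + b'\x00'
    return header + qname + struct.pack('!HH', 1, 1)  # QTYPE A, QCLASS IN


# Constructed samples: a normal lookup and a tunnel-style encoded name.
NORMAL = build_query('www.example.com')
SUSPECT = build_query('2f7a9c3e1b4d8a6f0e5c7b9a3d1f.evil-example.test')

if __name__ == '__main__':
    for query in (NORMAL, SUSPECT):
        print(inspect_query(query))
```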

Which technique?

• Signature analysis – can be used to create the alert; then
• Session analysis – can help investigate the alert further.

FOSS Tools

• Open source network monitoring and log management tools:
  – Elasticsearch
  – Logstash
  – Kibana
  – Snort
  – Suricata
  – Zeek (formerly Bro)
  – Sguil
  – Squert
  – Tcpdump

* FOSS - Free Open Source Software

Log Management

• Logstash – used to gather data from multiple sources and transform it for storage.
• Elasticsearch – distributed, RESTful search and analytics engine.
• Kibana – visualisation tool for Elasticsearch and other data sets.

https://www.elastic.co/products/

Intrusion Detection tools

• Snort – Intrusion detection system (IDS).
• Suricata – Intrusion detection system (IDS).

Network Monitoring

• Zeek (formerly Bro) – network traffic analysis tool.
• Sguil – collection of free software components for Network Security Monitoring (NSM) and event driven analysis of IDS alerts.
• Squert – web application that is used to query and view event data stored in a Sguil database.

Packet capture

• TCPdump – command line utility used to capture and analyse packets on network interfaces.
• Wireshark – utility used to capture and analyse packets on network interfaces.
• Cloudshark – web-based utility used to analyse packet captures.

Lab Exercise

https://academy.apnic.net/en/virtual-labs/

TCPdump command example

# cd /opt/samples
# tcpdump -nn -r fake_av.pcap | wc -l
# tcpdump -nn -r fake_av.pcap | head
# tcpdump -nn -r fake_av.pcap | cut -f 3 -d " " | head
# tcpdump -nn -r fake_av.pcap 'tcp or udp' | cut -f 3 -d " " | cut -f 1-4 -d "." | head

Display top 10 destinations

# tcpdump -nn -r fake_av.pcap 'tcp or udp' | cut -f 5 -d " " | cut -f 1-4 -d "." | sort | uniq -c | sort -nr | head

-nn = don’t use DNS to resolve IPs to hostnames or ports to service names (display the port number)
-r = read packets from the pcap file instead of a live interface
-f = field to select (cut)
-d = delimiter to use (cut)

TCPdump command example

# tcpdump -nn -r fake_av.pcap 'port 53' | head -5
# tcpdump -nn -r fake_av.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 9 -d " " | head
# tcpdump -nn -r fake_av.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 8 -d " " | grep -E '[a-z]'

If a suspicious domain name is found, use https://www.virustotal.com/gui/home/url to check if it is malicious.

TCPdump command example

# cd /opt/samples/mta
# for capfile in *.pcap; do tcpdump -nn -r "$capfile" 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 8 -d " " | grep -E '[a-z]'; done

Check for plain text passwords in pcap files

# for capfile in *.pcap; do tcpdump -nn -lA -r "$capfile" 'port http or port ftp or port smtp or port imap or port pop3 or port telnet' | grep -Ei -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '; done

-l = force line buffered mode
-A = include ascii strings from the capture
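The tcpdump pipelines on the last three slides (top destinations; DNS names outside the common TLDs) rewritten over saved tcpdump -nn text output, as an added example that is not from the slides. It assumes the input is tcpdump -nn -r output, one packet per line; the sample lines are constructed, not from fake_av.pcap. Unlike cut -f 8, the regex still finds the query name when tcpdump inserts the EDNS marker "[1au]" and shifts the fields, and the TLD test replaces the slides' grep -Ev, which would also drop a name like "arpanet-c2.xyz" because "arpa" appears inside it.

```python
import re
from collections import Counter

COMMON_TLDS = {'com', 'net', 'org', 'gov', 'mil', 'arpa'}  # the slides' list

# "IP src.port > dst.port:" -- the port is the last dotted component,
# which is what the slides' cut -f 1-4 -d "." strips.
ENDPOINTS = re.compile(r' IP6? (\S+) > (\S+):')
# "<id>[+*-] [flags ...] <TYPE>? <name>. (<len>)" -- DNS query lines;
# optional bracketed markers such as [1au] are skipped, not counted.
DNS_QUERY = re.compile(
    r'\.53: \d+[+*-]? (?:\[[^\]]*\] )*([A-Z]+)\? (\S+?)\.? \(\d+\)')


def split_port(endpoint: str):
    """'10.0.0.5.51234' -> ('10.0.0.5', 51234); also works for IPv6 text."""
    host, _, port = endpoint.rpartition('.')
    return host, int(port)


def top_destinations(lines, n=10):
    """Count destination hosts, like cut -f 5 | cut -f 1-4 | sort | uniq -c."""
    counts = Counter()
    for line in lines:
        m = ENDPOINTS.search(line)
        if m:
            counts[split_port(m.group(2))[0]] += 1
    return counts.most_common(n)


def uncommon_dns_names(lines):
    """Query names whose top-level domain is not in COMMON_TLDS."""
    names = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if not m:
            continue
        name = m.group(2)
        if name.rsplit('.', 1)[-1].lower() not in COMMON_TLDS:
            names.append(name)
    return names


# Constructed tcpdump -nn style output (documentation address ranges).
SAMPLE = """\
12:00:00.000001 IP 10.0.0.5.51234 > 192.0.2.80.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 192.0.2.80.80 > 10.0.0.5.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:00.000003 IP 10.0.0.5.51235 > 192.0.2.80.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000004 IP 10.0.0.5.40000 > 10.0.0.1.53: 31337+ A? www.example.com. (33)
12:00:00.000005 IP 10.0.0.5.40001 > 10.0.0.1.53: 31338+ [1au] A? 2f7a9c3e1b4d8a6f.evil-example.xyz. (52)
12:00:00.000006 IP 10.0.0.5.40002 > 10.0.0.1.53: 31339+ A? updates.example.net. (37)
12:00:00.000007 IP 10.0.0.5.40003 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
""".splitlines()

if __name__ == '__main__':
    for host, count in top_destinations(SAMPLE):
        print(f'{count:6d} {host}')
    print(uncommon_dns_names(SAMPLE))
```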

Security Onion

• Linux-based open source network monitoring and log management toolkit.
• Can be installed as a Virtual Machine (VM) or on a physical machine.
• Best practice is to use two network interfaces:
  1. Management Network
  2. Monitored Network

https://securityonion.net


Security Onion

https://securityonion.readthedocs.io/en/latest/architecture.html

How to Install

• Straightforward if you have experience installing Ubuntu 16.04
  – Download the ISO and verify it: https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
  – Base install is similar to an Ubuntu installation
  – Once Ubuntu is installed, double-click on the setup icon on the desktop.
  – Select the evaluation mode, as this will install all the tools on the one machine (standalone).

Security Onion - commands

https://securityonion.readthedocs.io/en/latest/cheat-sheet.html

Command               Description
sudo soup             Update Security Onion (and Ubuntu)
sudo so-status        Check service status
sudo sostat           Generate Security Onion statistics
sudo so-start         Start all services
sudo so-stop          Stop all services
sudo so-restart       Restart all services
sudo so-user-add      Add user for Sguil/Squert/Kibana
sudo rule-update      Update rules after modifying file
sudo so-allow         Open ports for ufw
sudo so-allow-view    View current firewall rules

Security Onion - files

https://securityonion.readthedocs.io/en/latest/cheat-sheet.html

Folder / Files                 Description
/etc/nsm/                      Location of configuration files
/etc/nsm/securityonion.conf    Security Onion general settings
/opt/bro                       Location of Bro files
/nsm/bro/logs                  Location of Bro log files
/etc/elasticsearch             Location of ElasticSearch files
/etc/logstash                  Location of LogStash files
/etc/kibana                    Location of Kibana files
/var/log                       Location of log files
/opt/samples                   Example packet capture files

Security Onion - rules

https://securityonion.readthedocs.io/en/latest/cheat-sheet.html

Folder / Files                          Description
/etc/nsm/rules/downloaded.rules         Downloaded IDS rules
/etc/nsm/rules/local.rules              Custom IDS rules
/etc/nsm/rules/threshold.conf           Rule thresholds
/etc/nsm/pulledpork/disabledsid.conf    Disabled rules by SID
/etc/nsm/pulledpork/modifysid.conf      Modified rules
/etc/nsm/pulledpork/pulledpork.conf     Pulled Pork configuration
/etc/elastalert/rules                   Elastalert rules

Import packet captures

https://securityonion.readthedocs.io/en/latest/pcaps.html
https://securityonion.readthedocs.io/en/latest/so-import-pcap.html

Command                                      Description
sudo tcpreplay -i ens34 -M10 fake_av.pcap    Import the packet capture as new traffic with the current date and time, using interface ens34, limiting to 10MB throughput
sudo so-replay                               Import all the sample packet captures as new traffic with the current date and time.
sudo so-import-pcap fake_av.pcap             Import the traffic, whilst keeping the timestamp the same as the original packet capture date and times.

Import packet captures

https://securityonion.readthedocs.io/en/latest/so-import-pcap.html

Command                                           Description
capinfos {pcap file}                              Display statistics about the packet capture file
tshark -F pcap -r {pcapng file} -w {pcap file}    Convert a packet capture Next Gen (pcapng) file to the earlier packet capture (pcap) format

Lab Exercise

https://academy.apnic.net/en/virtual-labs/

Exercise

• Import the sample captured (pcap) files:
  /opt/samples/markofu/jackcr-challenge.pcap
  /opt/samples/markofu/outbound.pcap

sudo tcpreplay -i ens33 -M10 /opt/samples/markofu/jackcr-challenge.pcap
sudo tcpreplay -i ens33 -M10 /opt/samples/markofu/outbound.pcap

Exercise 1: Squert

• Q1: What type of malicious traffic is suspected?
• Q2: What is the top source IP and destination IP? Source __________, Destination __________ .
• Q3: What is the other IP address communicating with the top source IP?


Exercise 2: Sguil

• Question: What was the rule that generated the original alert?


Exercise 3: Sguil

• Question: What is the filename of the downloaded suspicious file?


Exercise 4: Wireshark/Netminer

• Question: Can the downloaded suspicious file be extracted?


Exercise 5: Malicious file

• Q1: What is the md5 hash value of the downloaded file?
• Q2: When the hash value is submitted to Virus Total, is it found to be malicious?
